GLOOM SCROLLER PRIVACY POLICY
Last Updated: March 22, 2026
1. Introduction
MH Fintech Pty Ltd ("Gloom Scroller," "we," "us," or "our") operates Gloom Scroller, a personal wellness app that helps you manage social media usage by requiring brief physical exercise before accessing selected apps. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Gloom Scroller iOS app (the "App").
By using the App, you accept the terms of this Privacy Policy. If you do not accept, please do not use the App.
Health data consent: Before your first heart rate measurement, we ask for your explicit consent to process your heart rate data entirely on your device for exercise verification and related app functionality. This data is never transmitted to any server. If you do not consent, heart-rate-based features will not work. You may withdraw consent at any time by stopping further measurements and deleting your data from Settings > Reset Everything. Withdrawing consent does not affect processing carried out before withdrawal.
Contact for privacy inquiries: privacy@gloomscroller.com
2. Information We Collect
2.1 Information You Provide
- Account information: If you choose to sign in with Apple, we receive your Apple user ID and, if you opt in, your Apple relay email address. We do not receive your Apple ID password or your real email address (Apple's Private Email Relay is used).
- App settings: Your preferences including unlock duration, heart rate threshold, and exercise duration.
- App selections: Which apps you choose to block using the Screen Time feature. We store app names and categories only — not Apple's internal app tokens.
2.2 Information Collected Automatically
- Heart rate measurements: BPM (beats per minute) values derived from camera-based photoplethysmography (PPG). These are single integer values per measurement session. These values are stored on your device only and are never transmitted to our servers.
- Exercise session data: Timestamp, duration, success or failure, and exercise name for each exercise session. Session outcomes (but not heart rate values) may be synced to our cloud service if you sign in.
- Streak data: Current streak count, longest streak, total unlocks, and successful unlocks.
- Subscription data: If you purchase a subscription, Apple processes the payment. We receive your subscription status (active/inactive) and entitlement information via RevenueCat. We do not receive your payment method, billing address, or Apple ID.
2.3 Information We Do NOT Collect
- Camera images or video. Camera frames are processed entirely in your device's memory for PPG heart rate estimation. Frames are never stored to disk, never transmitted over a network, and never sent to any server. Only the derived BPM integer value is retained.
- Raw PPG signal data. Only the final heart rate value (a single integer) is stored. The raw photoplethysmography waveform data is discarded immediately after processing.
- Location data. The App does not request or access your location.
- Contacts. The App does not access your contacts.
- Browsing history. The App does not access your browsing history.
- Advertising identifiers (IDFA). The App does not collect or use the Identifier for Advertisers.
- Screen Time usage reports. The App uses Apple's Screen Time APIs to apply and remove app shields at your request. We do not access Screen Time usage reports, app usage statistics, or any data about how you use other apps.
- Data from other apps. When you select apps to block via Apple's FamilyActivityPicker, we store only the app names and categories. Apple's internal selection tokens remain on your device and are never transmitted. We have no access to your activity within those apps.
3. How We Use Your Information
We use your information solely to provide and improve the App's core functionality:
- To provide core features: Blocking selected apps, estimating heart rate via camera PPG, tracking exercise sessions, and managing unlock timers. Heart rate processing occurs entirely on your device.
- To track your progress: Maintaining your exercise streaks, session history, and personal records.
- To sync your data across devices: If you sign in with Apple, your settings, streaks, and session history (excluding heart rate values) are synced via our cloud service so you can access them on a new device.
- To manage subscriptions: If you purchase a subscription, we verify your subscription status to unlock premium features. Subscription management is handled by RevenueCat; payment processing is handled by Apple.
We do NOT use your data for:
- Advertising or marketing
- Selling to third parties
- Health profiling or automated medical decisions
- Cross-app tracking
- Behavioral targeting or user segmentation
4. How We Share Your Information
4.1 Service Providers
We use the following service providers to operate the App:
- Supabase (cloud database and authentication provider): Stores your profile, settings, session outcomes (not heart rate values), and streaks. Data is encrypted at rest and in transit. Subject to Supabase's privacy policy and Data Processing Agreement. Supabase servers are located in the United States.
- Apple (Sign in with Apple authentication and payment processing): If you use Sign in with Apple, authentication is handled by Apple's identity services. All in-app purchases are processed by Apple through the App Store. Subject to Apple's privacy policy.
- RevenueCat (subscription management): Manages subscription status, receipt validation, and entitlement checks. RevenueCat receives your anonymous app user ID, subscription purchase history, and entitlement status. RevenueCat does not receive your name, email, health data, or app usage data. Subject to RevenueCat's privacy policy. RevenueCat servers are located in the United States.
- Superwall (paywall presentation): Displays subscription offer screens and enables A/B testing of pricing presentation. Superwall receives your anonymous app user ID and subscription status. Superwall may collect paywall interaction analytics (e.g., whether you viewed or dismissed a paywall). Superwall does not receive your name, email, health data, or app usage data. Subject to Superwall's privacy policy.
4.2 We Do Not Share Your Data With
- Advertisers or advertising networks
- Data brokers
- Any third parties not listed in Section 4.1
4.3 We Do Not Sell or Share Your Personal Information
Gloom Scroller does not sell, rent, or share your personal information with third parties for monetary or other valuable consideration. We do not engage in cross-context behavioral advertising. This applies to all users, including California residents under the CPRA.
5. Data Storage and Security
- Local data: App data, including settings, streaks, onboarding state, and heart rate / BPM readings, is stored in AsyncStorage on your device. Heart rate and BPM data is stored on your device only and is never transmitted to our servers. AsyncStorage is not encrypted by default but benefits from iOS Data Protection (file-level encryption when your device is locked with a passcode).
- Sensitive credentials: Session tokens and authentication credentials are stored in the iOS Keychain via expo-secure-store, which provides hardware-backed encryption on devices with Secure Enclave.
- Cloud data: If you sign in, non-health data (settings, session outcomes, streaks, achievements) is stored in Supabase PostgreSQL, encrypted at rest (AES-256) and in transit (TLS 1.2+). Supabase servers are located in the United States. Heart rate values are never stored in the cloud.
- App Group data: Operational data shared between the App and its extensions (shield state, expiry timestamp, threshold values) is stored in shared UserDefaults. This data is not encrypted by default but benefits from iOS Data Protection. No secrets or credentials are stored in App Group data.
- Camera frames: Processed in volatile memory only. Never written to disk or transmitted.
- Row Level Security (RLS): Our database enforces row-level security policies ensuring you can only access your own data.
6. Data Retention
- Your data is retained as long as your account is active.
- You can delete all data at any time from Settings > Reset Everything.
- On account deletion:
  - All local data (AsyncStorage, Keychain, App Group) is permanently removed from your device.
  - All cloud data is permanently removed from our servers via cascading database deletion.
  - If you signed in with Apple, your Apple Sign-In credential is programmatically revoked.
  - Server-side backups are purged within 30 days of account deletion.
7. Your Rights
7.1 All Users
- Access your data: Request a copy of your personal data by contacting us at privacy@gloomscroller.com. Where required by applicable law, we will provide it in a structured, commonly used, and machine-readable format.
- Delete your data: Permanently delete all local and cloud data from Settings > Reset Everything.
- Modify your data: Update your settings and recalibrate your baseline heart rate at any time.
7.2 European Economic Area Users (GDPR)
If you are located in the European Economic Area, you have additional rights under the GDPR:
- Right to access (Article 15): Request a copy of your personal data.
- Right to erasure (Article 17): Request deletion of your personal data.
- Right to rectification (Article 16): Request correction of inaccurate data.
- Right to data portability (Article 20): Receive the data you have provided to us in a structured, commonly used, and machine-readable format where this right applies.
- Right to restrict processing (Article 18): You can disable cloud sync by not signing in with Apple. All data remains local-only.
- Right to object (Article 21): You may object to processing carried out under legitimate interest. For camera frame processing (see lawful basis below), you can stop any measurement at any time by closing the measurement screen. We do not use your data for direct marketing, so the unconditional right to object to marketing does not arise.
- Right to lodge a complaint: You may lodge a complaint with your local data protection supervisory authority.
Lawful basis for processing:
- Heart rate data: Explicit consent (Article 9 — special category health data). Heart rate data is processed and stored entirely on your device and is never transmitted to any server. Consent is obtained through a clear in-app consent prompt before your first heart rate measurement. See Section 1 for withdrawal details. Article 9 applies to on-device processing of special-category data by a controller-designed app.
- App settings, session data, authentication: Contract performance (Article 6(1)(b) — necessary to provide the service you signed up for).
- Camera frames: Legitimate interest (Article 6(1)(f) — transient, in-memory processing where no personal data is derived from the visual content of frames; frames are never stored or transmitted). Your interests are protected because frames exist only in volatile memory for milliseconds and are discarded immediately after BPM extraction.
Non-health personal data (settings, session outcomes, streaks) may be transferred to and stored in the United States if you sign in. Where required by applicable law, we rely on contractual and technical safeguards designed to protect those transfers. Heart rate data is never transferred across borders — it remains on your device.
To exercise your GDPR rights, contact us at privacy@gloomscroller.com.
7.2a United Kingdom Users (UK GDPR)
If you are located in the United Kingdom, you have equivalent rights under the UK GDPR. The rights and lawful bases described in Section 7.2 apply equally under the UK GDPR. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Heart rate data is never transmitted to any server, so no cross-border transfer of health data occurs.
To exercise your UK GDPR rights, contact us at privacy@gloomscroller.com.
7.3 California Users (CPRA/CCPA)
If you are a California resident, you have rights under the California Privacy Rights Act:
- Right to know / access: This privacy policy discloses the categories of personal information we collect, the purposes for collection, and the categories of third parties with whom we share it. You may also request access to the specific pieces of personal information we have collected about you.
- Right to delete: Delete all your data from Settings > Reset Everything.
- Right to correct: Modify your settings and recalibrate your baseline heart rate.
- Right to opt-out of sale or sharing: We do not sell or share your personal information. No opt-out is necessary.
- Right to limit use of sensitive personal information: Heart rate data (sensitive personal information under CPRA) is processed and stored entirely on your device. It is never transmitted to any server or shared with any service provider. It is used solely for exercise verification — the disclosed purpose.
- Right to non-discrimination: You will receive the same service regardless of whether you exercise your privacy rights.
To exercise your CPRA/CCPA rights, contact us at privacy@gloomscroller.com.
7.4 Australian Users (Privacy Act 1988)
If you are located in Australia, you have rights under the Australian Privacy Principles (APPs):
- Access to your data (APP 12): Request access to your personal information by contacting us at privacy@gloomscroller.com.
- Correction of your data (APP 13): Modify your settings and recalibrate baseline heart rate at any time.
- Cross-border disclosure (APP 8): Non-health data (settings, session outcomes, streaks) may be stored on servers located in the United States by our service provider, Supabase. Heart rate data is never transmitted to any server. We have contractual arrangements in place (Data Processing Agreement) to ensure your data is protected to a standard equivalent to the Australian Privacy Principles. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+), and access is restricted by Row Level Security policies.
- Notifiable Data Breaches: In the event of an eligible data breach likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by Part IIIC of the Privacy Act 1988.
- Complaints: You may lodge a complaint with the OAIC at oaic.gov.au if you believe we have breached the Australian Privacy Principles.
To exercise your rights under the Australian Privacy Act, contact us at privacy@gloomscroller.com.
7.5 New Zealand Users (Privacy Act 2020)
If you are located in New Zealand, you have rights under the Privacy Act 2020 and the Information Privacy Principles (IPPs), including:
- Access to your personal information (IPP 6): You may request access to the personal information we hold about you.
- Correction of your personal information (IPP 7): You may request correction of the personal information we hold about you.
- Overseas disclosure transparency (IPP 12): Non-health data (settings, session outcomes, streaks) may be stored on servers located in the United States by our service providers. Heart rate data is never transmitted to any server.
- Privacy breach notification: If a privacy breach occurs that is likely to cause serious harm, we will notify the Office of the Privacy Commissioner (OPC) and affected individuals where required by law.
- Complaints: You may lodge a complaint with the OPC at privacy.org.nz.
We will respond to New Zealand privacy requests within the time required by applicable law, including the 20-working-day period that generally applies to access and correction requests, unless an extension applies.
7.6 US State Consumer Health Data Laws
Heart rate data collected by the App is processed and stored entirely on your device. It is never transmitted to any server, shared with any service provider, or transferred across borders. You can delete all heart rate data at any time from Settings > Reset Everything.
This applies to all US states, including jurisdictions with consumer health data laws such as Washington (My Health My Data Act), Connecticut, and others.
8. Age and Children's Privacy
Gloom Scroller is intended for users aged 18 and older. We do not knowingly collect personal information from minors. If we become aware that a user is under 18, we will take steps to delete their information promptly.
The App Store content rating for Gloom Scroller is 13+ in most regions (based on Apple's content questionnaire). That rating reflects Apple's content-classification system and does not override our contractual minimum age of 18.
9. App Tracking Transparency
Gloom Scroller does not track you across apps or websites owned by other companies. We do not use the IDFA (Identifier for Advertisers), and we do not include any advertising SDKs or cross-app tracking tools. The App Tracking Transparency framework is not required because no tracking occurs.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via an in-app notification. The "Last Updated" date at the top of this policy indicates when the most recent changes were made.
Your continued use of the App after changes are posted constitutes your acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
- Email: privacy@gloomscroller.com
- Subject line: "Privacy Inquiry — Gloom Scroller"
We will respond to privacy inquiries within 30 days, or within any shorter period required by applicable law.